PSA: Family Members May Be Able to Train Their Way Into Your iPhone X via Face ID

You might want to consider changing your iPhone X passcode to something unique if you want to ensure complete control over your new phone around your family. As evidenced by several reports of siblings, half-siblings and other close family members being able to “trick” Face ID, this is the best way to lessen the odds of it happening. Why, you ask? Because knowing the correct passcode to unlock the phone is the key to training Face ID. The X’s neural network that governs Face ID only acknowledges facial input for machine learning when a failed unlock attempt is followed by a successful passcode unlock. It also learns any changes to your face over time after successful unlocks. If you are letting someone else you are related to unlock your phone via passcode, there is a possibility that they will be able to train their way into unlocking your X via Face ID if you look enough alike.

Andy Greenberg of Wired has really been killing it with his coverage of the ins and outs of Face ID so far. Today, he posted a story about a 10-year-old boy being able to unlock his mother’s phone via Face ID. It is not made completely clear in the story whether the boy or his parents were entering the passcode after any of his unsuccessful attempts, but it IS clear that the phone eventually did learn his facial features, and after he gained access once or twice, he was able to get in consistently.

In the family’s tests after they discovered that he could unlock his mother’s iPhone X, the mother re-trained Face ID in ideal conditions. After this, her son was no longer able to access the phone. However, after she re-trained again in lower indoor light, which was closer to the conditions the phone was originally set up in, her son was able to fool Face ID again. He was only able to unlock his father’s iPhone X once, though. We don’t know how many times he tried before and after, or again, whether a passcode was entered, but we know he didn’t have the same level of success with both parents.

Does this spell doom and gloom for Apple? No, and anyone who tells you that it does is just spreading FUD. That said, it is a legitimate bump in the road that they will need to adjust to in near-future iOS 11 updates. Also, considering how much the entire population seems to be pulling out all the stops to find every potential crack in the system, it would be smart on Apple’s part to be proactive and let the public know that they are going to be adjusting Face ID via updates based on how they see it working after a mass rollout. Anyone who knows Apple knows they were always going to be working on the software behind the scenes, but when it comes to device security, it’s wise to make sure that everyone knows.

This situation also points out the challenges with using facial features over fingerprints or iris scanning for security. While the accuracy of the TrueDepth camera technology may be much higher than that of Touch ID, and it may be easier to implement en masse today than mobile iris scanners, we are also FAR more likely to share facial features with family members than we are fingerprints and eye vessels. Apple made their choice of technology, and now it’s time for them to act on the early results. Now that Face ID is in the field and Apple can gather data on how it is working (not data directly from the phone’s Secure Enclave, but success and failure data from those who agree to share with Apple during the iPhone setup process), they can tweak how the software that governs it learns facial features, as well as its unlock threshold. How they react over the coming months will say a lot about their commitment to device security and their customers’ satisfaction with it.

In the meantime, if you are worried about this right now, be sure to set your passcode to something unique that no one else knows. That should ensure that no one in your family can “learn” their way into hijacking your Face ID. There will be a legitimate failure rate for any security technology, but this is going to be the most common cause of Face ID spoofing. Also, based on the evidence in the Wired story, consider finding a place with plenty of ambient light and re-training your Face ID in those conditions. That seemed to make a big difference in the testing done here, and it may indicate that Apple needs to adjust how Face ID training is done in less than ideal lighting conditions.

If these steps and the knowledge that Apple will certainly be tweaking Face ID on the fly aren’t enough to set your mind at ease, then you might consider moving away from the X and back to the iPhone 8 or 8 Plus for now. That’s a more radical step, but there will always be bumps that have to be smoothed out with security technologies that are rolled out at any kind of scale. Both Samsung and Apple have experienced this, and it will keep happening whenever new technologies and techniques appear. That is reality backed up by plenty of recent history. If you don’t like the leading edge, then maybe it’s best to wait a year for things to shake out and adjustments and improvements to be made.

As for myself, I will definitely be trying this out with my kids when I get home this evening. I can’t resist, and I will write about it and try to get some video of the testing, as well. None of my three kids looks exactly like me or my wife, but the 10-year-old boy in the Wired story isn’t the spitting image of his mother, either, so who knows what the results will be. I’m interested to find out. I will definitely post about it sometime this week.